370 likes | 397 Views
Explore web application exploits, vulnerabilities, and security strategies in computer science and engineering. Topics include XSS, malware, session hijacking, and more. Understand HTTP protocols, status codes, and secure communication practices.
E N D
Web Application Exploits Computer Science and Engineering
Reading • Required: • Stuttard and Pinto: Chapter 3 • Review: OWASP: 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10 • Recommended: cool tutorials • Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, http://google-gruyere.appspot.com/part1#1__setup • How To Break Web Software - A look at security vulnerabilities in web software, http://www.youtube.com/watch?v=jXP7b-xby6U • DEFCON 19: Web Application Analysis With Owasp Hatkit, http://www.youtube.com/watch?v=JjJQ9b80xsE&feature=relmfu Computer Science and Engineering
Web security: primary target to attacks • Web Application technologies • Client side • Server side • Application • Transfer protocol • Common vulnerabilities Computer Science and Engineering
Web Application Architecture XSS Malware Session hijack Redirection … Web service Injection attacks Information leakage DOS Unauth. modification Communication security Database Web server Auth. service Access control client Forged credentials Unauthorized access Computer Science and Engineering
Client Side • Request resources – http requests • Technologies to support functionality • Browser • HTML • Hyperlinks • Forms • Scripts • Custom client components Computer Science and Engineering
Server side • Receive client request, URL query string, HTTP cookies, or in request body • Technologies to supply functionality: • Scripting languages: PHP, VBScript, Perl • Web application platform: ASP.NET, Java • Web Servers: Apache, IIS, Netscape Enterprise • DBMS: Oracle, MySQL, SQL-Server, • Back-end components Computer Science and Engineering
The HTTP Protocol • Hyper Text Transfer Protocol • Stateless • Application layer protocol -- Layered on top of TCP • Client Server Model • Request-response communication • Originally developed to retrieve static text-based resources Computer Science and Engineering
HTTP Request • Request line • HTTP method • Requested URL • HTTP version • Header lines • Host, Referer, Cookie, User-Agent, Connection, etc. • Request body Computer Science and Engineering
GET • Passes all request data in the URL query line • GET /search?q= Web+Technologies HTTP/1.1 • Host: www.cse.edu… Computer Science and Engineering
Post • Passes all data in the HTTP request body • POST /search?HTTP/1.1 • Host: www.cse.edu… • q= Web+Technologies Computer Science and Engineering
HTTP Response • Status line • HTTP version • Numeric status call indicating the result of the request • Txt reason phrase describing the status of the response • Header lines • Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length • Response body Computer Science and Engineering
Status Codes • 1xx – Informational • 2xx – the request was successful • 3xx – the client is redirected to a different resource • 4xx – the request contains an error of some kinds • 5xx – the server encountered an error fulfilling the request Computer Science and Engineering
Commons Status Codes • 200: OK • 302: Location redirection • 401: client is unauthorized for the resource • 403: forbidden even if the client has the credentials • 404: not found • 500: internal server error caused by the request Computer Science and Engineering
Issues for HTTP Methods • GET – retrieves a resources • Send parameters to the requested resource • Be Aware! URLs are stored and displayed -> do not include sensitive data in the query string • POST – performs an action • Request parameters sent in the URL query string or in message body • Be Aware! Back button use warning • Other methods: Head, Trace, Put, etc. Computer Science and Engineering
HTTPS • HTTP tunneled through SSL • HTTP Proxies • Using HTTP • Using HTTPS • Proxy is a man-in-the-middle • Pure TCP level relay Computer Science and Engineering
HTTP Authentication • Basic: sends user credentials as a Base64-encoded string in a request header • NTLM: Challenge-response using Windows NTLM protocol • Digest: challenge-response using MD5 and checksum of a nonce with the user’s credentials Computer Science and Engineering
State and Session • Client and server exchange and process data • Application needs to maintain the state of each user interactions • Server side structure: session • Client side: sent by the server and protected from tampering • Stateless HTTP token to identify user sessions Computer Science and Engineering
HTTP Vulnerabilities • Header-based attacks: not very common • Headers are simple • Any command or response that is not valid, ignored • Header are free form several options on how to interpret data • Buffer overflow may occur • Client- and server side executables : data may be passed to other applications Computer Science and Engineering
HTTP Vulnerabilities 2. • Protocol-based attacks: most common • Incorrect authentication • Access directories (username/password) by stolen credentials • Authentication travels as clear text • Challenge response • Cookes • Spoofing attacks Computer Science and Engineering
HTTP Vulnerabilities 3. • Traffic-based attacks • Denial of Service attacks • Traffic privacy violations Computer Science and Engineering
Web Application Characteristics Computer Science and Engineering
Functionality • Server side technologies: • Scripting languages • Web application platform • Web server software • Databases • Back-end components • Client-side technologies: • Browser Extension technologies Computer Science and Engineering
Application Characteristics • Understand what application does and how it behaves • Content • Functionality • Find out: • Application behavior • Core security mechanisms • Technologies being used • Client side • Server side Computer Science and Engineering
Enumerating Content and Functionality • Manual vs. automated browsing • Walk through the application • Follow every link • Navigate through multistage functions • Web spidering • Tools to follow all links until no new content is found • Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript Computer Science and Engineering
Robots.txt • Web servers maintain in root • Contains list of URLs not available for web spiders • Can be used by spiders as the seed • References to sensitive functionality Computer Science and Engineering
Automated Spidering • E.g., Burp Spider, WebScarab • General limitations: • Cannot handle dynamically created menus • Limited depth to find links • May fail input validation for multistage functionality • Unique content is identified by URL not good for form-based navigation • May fail authentication session Computer Science and Engineering
User Directed Spidering • User walks through the application and uses a spider to collect and analyze findings • Good for • Unusual or complex navigation needs • User control of input data • User can login to application and pass authentication • User can decide on requested functions Computer Science and Engineering
Hacking Steps 1. • Configure browser to use spider • Browse the application normally • Visit every link • Proceed through multi-stage functions • JavaScrip enabled/disabled; cookies enabled/disabled • Review site map to identify non-visited content • Do an automated spidering Computer Science and Engineering
Discovering Hidden Content • Not directly linked to or reachable from the main page • E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old version of files, default application functionality, log files, etc. • Added attack points, sensitive content, etc. • Automated, brute-force attack: Burp Intruder Computer Science and Engineering
Hacking Steps 2 • Make unusual requests and identify response • Use site map to identify hidden content • Use brute-force attacks to identify how application handles requests • Manually review responses • Inferencing from published content (e.g., naming) • Compile list of names of subdirectories • Identify naming schemes, file extensions • Review all client side code • Look at temporary files • Burp: Content Discovery – automate attack Computer Science and Engineering
Use Public Information • Find old resources • Search Engines: • Advanced Search: resource, login, links, related • Google domains • Omitted results • Cashed versions • Other domains of the same organization • Web archives, e.g., WayBack Machine Computer Science and Engineering
Web Server Vulnerabilities • Web server software vulnerability • Default content • Sample and diagnostic scripts • Standard functionality • Wikto: a tool that checks for flaws in web servers • http://sectools.org/tool/wikto/ Computer Science and Engineering
Additional Mappings • Functional paths • URL query parameters, REST-style URLs • Discovering Hidden Parameters • Try default parameter names, e.g, debug, test, hide, etc. • Monitor responses to identify anomalies • Analyzing Applications • Functionality, behavior, security • Server side functionality Computer Science and Engineering
Mapping the Attack Surface • Use the results of the analysis to find vulnerabilities Computer Science and Engineering
SOA Service Communication • Simple Object Access Protocol (SOAP)-based • REST based (no additional messaging layer) • Communication over HHTP Computer Science and Engineering
Industry standards • XML • XML encryption • XML Signature • Canonical XML • Decryption Transformation for XML Signature • WS-Security • Security Assertion Markup Language (SAML) Computer Science and Engineering
Next Class • XML, RDF, Web application security Computer Science and Engineering